How to Treat the Heartbleed BugExperts Prescribe Security Patches and Password Protection
Security thought-leaders agree that the newly discovered Heartbleed bug is a serious threat, but what are the specific risks, and how can they be mitigated?
See Also: HIPAA Audits: A Revised Game Plan
Information Security Media Group polled security experts in banking, government and healthcare, as well as the research and vendor communities, for insights on Heartbleed and how organizations should respond to it.
John LaCour of PhishLabs, an online security firm that tracks cyber-attacks, says the seriousness of the vulnerability cannot be overstated. "SSL is designed for the purpose of securing sensitive information like authentication credentials," he says. "The Heartbleed vulnerability makes it possible for an attacker to compromise whatever it is that is meant to be protected and potentially all communications over SSL."
Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as web, e-mail, instant messaging and some virtual private networks (see: Heartbleed Bug: What You Need to Know).
"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software," says Codenomicon, the Finland-based security vendor that discovered the bug, along with a researcher at Google Security. "This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."
Codenomicon says Fixed OpenSSL has been released and needs to be deployed now across websites vulnerable to the bug. Operating system vendors and distribution, appliance vendors and independent software vendors need to adopt the fix and notify their users, Codenomicon says. "Service providers and users have to install the fix as it becomes available for the operating systems, networked appliance and software they use."
Additionally, organizations can use this online tool to see if their website is vulnerable.
Noted security expert and blogger Bruce Schneier calls the exploit "catastrophic."
"Half a million sites are vulnerable, including my own," Schneier says in a blog. "On the scale of 1 to 10, this is an 11."
Healthcare information security expert Brian Evans warns organizations are likely affected either directly or indirectly. "This means that users are vulnerable to having their passwords and other sensitive data compromised," says Evans, a principal at Tom Walsh Consulting.
Alan Brill, senior managing director at the security advisory firm Kroll Solutions, says the notion that open source technologies are often more open to inspection and "more secure" isn't always the case. "The lesson is simple," he says. "Any software or hardware can fail."
The Heartbleed bug highlights the risk that encryption keys can be stolen, says Richard Moulds, VP of strategy at Thales e-Security, a data security company. "Once again the importance of sound key management has been brought into sharp focus," he says. "An attacker that can access these keys can decrypt any data that has been previously encrypted using those keys and probably any future data until each key is changed."
Jean Taggart, senior security researcher at Malwarebytes, an anti-malware firm, says the Heartbleed bug "impacts the fabric beneath secure communications on the web. A cursory search illustrates there are a large number of likely vulnerable servers."
And Taggart warns that fixing the bug won't be easy. "Even though security professionals can roll out an upgrade, many will not reset their certificates as this is a difficult and lengthy task," he says. "If they were compromised prior to the announcement of the bug, [organizations'] private keys might already be in the hands of adversaries, and their encrypted communications could be intercepted by third parties."
How to Mitigate the Risks
Security expert William Hugh Murray, a management consultant and trainer in information assurance, says organizations shouldn't panic over the exploit, saying that the threat is low. "Corrected implementations are already available," he says. "Look at your vendors. After the fix is applied, change your keys. In an excess of caution, you may then want to suggest that customers change their passwords."
Adam Allred, research scientist at the Georgia Tech Information Security Center, agrees with Murray. "I believe that any panic is undue," he says. "I would not suggest panic, knee-jerk reactions, or other overly disruptive actions in response to this or any other vulnerability."
Allred continues: "I would suggest handling this vulnerability immediately, carefully, and with a steady but constant pace until it is mitigated."
Evans of Tom Walsh Consulting says organizations need to first determine to what extent they're affected. "This should include business associate relationships and vendors, hosted and supported patient portals and any activity requiring a web browser," he says. "Do not log into accounts from these affected sites until you've confirmed that the business associate or vendor has patched the problem."
Additionally, organizations should clear their browsing history, session keys and session cookies, Evans says. "And do not opt for the 'save my password' option on your browser until the bug issue gets resolved," he explains. "Once you've received confirmation of a security patch being applied, then change passwords on sensitive accounts. Changing passwords before the patch may only exacerbate the situation."
Moulds of Thales e-Security says attacks such as Heartbleed have caused many to question the value of encryption, "but in reality we are witnessing the exploitation of poor implementations and weak key management rather than discovering fundamental flaws," he says.
"To combat these increasingly sophisticated attacks organizations should strongly consider using hardened and independently certified key management devices such as hardware security modules to protect these critical systems," Moulds says.
Brill of Kroll Solutions says organizations need to be ready to act when software or hardware fail. "Whether that action involves having backup systems, alternative processing arrangements or anything else, you have to look at every aspect of your systems and say, 'What if?'" Brill says. "The first step in preparedness is recognizing the potential vulnerability."
Attorney Ronald Raether of law firm Faruki Ireland and Cox PLL says the Heartbleed bug shows an over reliance on encryption when it comes to security. "You cannot protect information by simply relying on one measure of protection," he says. "The concept of layered security, or what is commonly called 'security in depth,' is nothing new and is a rather simple concept to comprehend."
Components of a layered approach, Raether contends, should include people, governance through sound policy and procedures, and technology. "A holistic approach is required," he says.
The following resources are available regarding the Heartbleed bug:
- Heartbleed.com: This site is run by Codenomicon, the security firm that took part in the discovery of the OpenSSL exploit. It details the exploit and offers an FAQ for organizations;
- Carnegie Mellon SEI CERT: The advisory organization has offered additional information on Heartbleed and offers solutions organizations can put into effect to mitigate their risks;
- Heartbleed Bug Testing Site: Organizations can enter the hostname of a server and test to see if they're impacted by the OpenSSL vulnerability;
- Fixed OpenSSL: A fixed update to OpenSSL has been released and needs to be deployed across websites vulnerable to the bug.
(Executive Editor Tracy Kitten and Managing Editor Marianne Kolbasuk McGee contributed to this story.)